[FOLIO-2286] X-Okapi-Module-Tokens response header providing access to unauthenticated users Created: 25/Sep/19 Updated: 03/Jun/20 Resolved: 26/Sep/19

| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug |
| Priority: | P1 |
| Reporter: | Craig McNally |
| Assignee: | Jakub Skoczen |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | q3.2-2019, security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: | |
| Sprint: | CP: sprint 73 |
| Development Team: | Core: Platform |
| Description |
Overview

The X-Okapi-Module-Tokens response header is being returned when making calls to endpoints which have modulePermissions defined. This header includes a token which can be used like an X-Okapi-Token, granting access without ever authenticating.

Reproducer

Make a call w/o specifying an X-Okapi-Token to an endpoint which has modulePermissions. NOTE that an X-Okapi-Token isn't provided here:

```
$ curl $OKAPI/circulation/loans -H "X-okapi-tenant: diku" -v -w'\n'
*   Trying 52.72.80.49...
* Connected to folio-testing-okapi.aws.indexdata.com (52.72.80.49) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification OK
*        server certificate status verification SKIPPED
*        common name: *.aws.indexdata.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=*.aws.indexdata.com
*        start date: Thu, 23 May 2019 00:00:00 GMT
*        expire date: Tue, 23 Jun 2020 12:00:00 GMT
*        issuer: C=US,O=Amazon,OU=Server CA 1B,CN=Amazon
*        compression: NULL
* ALPN, server accepted to use http/1.1
> GET /circulation/loans HTTP/1.1
> Host: folio-testing-okapi.aws.indexdata.com
> User-Agent: curl/7.47.0
> Accept: */*
> X-okapi-tenant: diku
>
< HTTP/1.1 403 Forbidden
< Date: Wed, 25 Sep 2019 21:24:33 GMT
< Content-Type: text/plain
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Okapi-Module-Tokens: {"mod-circulation-17.0.0-SNAPSHOT.383":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJVTkRFRklORURfVVNFUl9fMTAuMzYuMS45NTo0NTk3OF9fMjAxOS0wOS0yNVQyMToyNDozMy4yNjcrMDAwMCIsIm1vZHVsZSI6Im1vZC1jaXJjdWxhdGlvbi0xNy4wLjAtU05BUFNIT1QuMzgzIiwiZXh0cmFfcGVybWlzc2lvbnMiOlsibW9kcGVybXMuY2lyY3VsYXRpb24ubG9hbnMuY29sbGVjdGlvbi5nZXQiXSwicmVxdWVzdF9pZCI6IjE5MDk5N1wvY2lyY3VsYXRpb24iLCJ0ZW5hbnQiOiJkaWt1In0.sGQCtHxwNNi3gSWZctCULRHiHx3O4Sq2xJoT1i64jYw","_":"eyJhbGciOiJIUzI1NiJ9.eyJkdW1teSI6dHJ1ZSwic3ViIjoiVU5ERUZJTkVEX1VTRVJfXzEwLjM2LjEuOTU6NDU5NzhfXzIwMTktMDktMjVUMjE6MjQ6MzMuMjY3KzAwMDAiLCJyZXF1ZXN0X2lkIjoiMTkwOTk3XC9jaXJjdWxhdGlvbiIsInRlbmFudCI6ImRpa3UifQ.w1t8bHOzlAd5EOYeLBOjU8DW9A0DgjvJqVrkds_Ha7U"}
< X-Okapi-Trace: GET mod-authtoken-2.3.0-SNAPSHOT.56 http://10.36.1.95:9132/circulation/loans : 403 3207us
<
* Connection #0 to host folio-testing-okapi.aws.indexdata.com left intact
Access requires permission: circulation.loans.collection.get
```

The 403 response makes sense except for the X-Okapi-Module-Tokens header... when decoded, the token returned by this particular call carries the permission modperms.circulation.loans.collection.get, which expands to a very long list:
[
"circulation-storage.loans.collection.get",
"circulation-storage.loan-policies.item.get",
"circulation-storage.loan-policies.collection.get",
"inventory-storage.items.item.get",
"inventory-storage.items.collection.get",
"inventory-storage.locations.item.get",
"inventory-storage.locations.collection.get",
"inventory-storage.location-units.institutions.item.get",
"inventory-storage.location-units.campuses.item.get",
"inventory-storage.location-units.libraries.item.get",
"inventory-storage.location-units.libraries.collection.get",
"inventory-storage.holdings.collection.get",
"inventory-storage.holdings.item.get",
"inventory-storage.instances.collection.get",
"inventory-storage.instances.item.get",
"inventory-storage.material-types.collection.get",
"inventory-storage.material-types.item.get",
"inventory-storage.service-points.collection.get",
"inventory-storage.service-points.item.get",
"users.collection.get",
"users.item.get",
"inventory-storage.locations.collection.get",
"accounts.collection.get",
"usergroups.collection.get",
"usergroups.item.get"
]
The recent fix for
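To triage a response like the one above, here is an added example (not FOLIO or Okapi code) that takes the raw X-Okapi-Module-Tokens header value, reads each module token's claims without trusting its signature, and flags every token that was returned to a caller that sent no X-Okapi-Token. The sample header, the signing secret and the subject address in it are constructed; only the claim names mirror the ticket.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_token(claims: dict, secret: bytes) -> str:
    # Constructed HS256 JWT shaped like the module tokens Okapi issues.
    head = b64url(b'{"alg":"HS256"}')
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def jwt_claims(token: str) -> dict:
    # Payload only, no signature check: we inspect a leaked token, we do not trust it.
    return json.loads(b64url_decode(token.split(".")[1]))

def audit_module_tokens(header_value: str, request_authenticated: bool) -> list:
    # header_value is the raw X-Okapi-Module-Tokens value: a JSON object mapping
    # module id -> JWT. 'leaked' marks any token returned to a caller that sent no
    # X-Okapi-Token, which is the FOLIO-2286 condition regardless of status code.
    findings = []
    for module, token in json.loads(header_value).items():
        claims = jwt_claims(token)
        findings.append({
            "module": module,
            "sub": claims.get("sub"),
            "extra_permissions": claims.get("extra_permissions", []),
            "leaked": not request_authenticated,
        })
    return findings

# Constructed sample mirroring the ticket's 403 response; the secret is invented and
# the real Okapi signing key is never present in a response.
SECRET = b"constructed-demo-secret"
SAMPLE_HEADER = json.dumps({
    "mod-circulation-17.0.0-SNAPSHOT.383": make_hs256_token({
        "sub": "UNDEFINED_USER__10.0.0.1:1__2019-09-25T21:24:33.267+0000",
        "module": "mod-circulation-17.0.0-SNAPSHOT.383",
        "extra_permissions": ["modperms.circulation.loans.collection.get"],
        "tenant": "diku"}, SECRET),
    "_": make_hs256_token({"dummy": True, "tenant": "diku"}, SECRET),
})
```

Run `audit_module_tokens(SAMPLE_HEADER, request_authenticated=False)` to see both tokens reported as leaked, with the mod-circulation entry carrying the modperms permission; a fixed gateway should never produce such a header for an unauthenticated request, so an empty result (or no header at all) is the expected outcome in a regression check.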
| Comments |
| Comment by Craig McNally [ 25/Sep/19 ] |

We verified that
Unfortunately, I doubt all modules affected by this are in a position to simply upgrade to the latest RMB version.
| Comment by Jakub Skoczen [ 26/Sep/19 ] |

EDITED
We will expedite the fix anyway through
| Comment by Jakub Skoczen [ 26/Sep/19 ] |

Craig McNally, have you tried using the leaked tokens to call an API in FOLIO?
| Comment by Jakub Skoczen [ 26/Sep/19 ] |

Craig McNally Adam Dickmeiss Ok, I've verified that this is also a remote exploit. I won't be posting full repro steps here.
| Comment by Adam Dickmeiss [ 26/Sep/19 ] |

This should be solved by
| Comment by Jakub Skoczen [ 26/Sep/19 ] |

Verified by Craig McNally